That Darn Amanda

As in previous posts, we find that the end game is to install password-stealing components. Some of the subject lines look like:

“FaceBook message: Very Beautiful facebook girl Dance Video! (Last rated by __insert name here__)”

“FaceBook message: facebook members Dancing In Striptease (Last rated by __name here__)”

“FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing (Last rated by __name here__)”

Clicking on the link in turn redirects the user’s browser to another set of sites hosting a video, prompting the user to download and install Flash_Adobe11.exe. Don’t bother; it’s still not the real Flash Player. Instead, Zbot malware is installed. Here is a censored screenshot of one of the attacking sites:

ThreatFire is preventing the malware from running on a fair number of community systems right now. Do not run Flash_Adobe11.exe from these sites.
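
For mail and proxy triage, the subject-line shape and the installer file name described above can be matched directly. The following is an added example, not code from the original post or from ThreatFire; the function names, sample subjects, names and `.example` URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Shape shared by the three subject lines quoted in the post:
#   "FaceBook message: <lure text> (Last rated by <name>)"
SUBJECT_RE = re.compile(
    r"^\s*FaceBook message:\s*(?P<lure>.+?)\s*"
    r"\(Last rated by (?P<name>[^)]*)\)\s*$",
    re.IGNORECASE,
)
FAKE_INSTALLER = "flash_adobe11.exe"  # file name given in the post


def match_subject(subject):
    """Return (lure, name) if the subject has the campaign's shape, else None."""
    m = SUBJECT_RE.match(subject)
    return (m.group("lure"), m.group("name").strip()) if m else None


def is_fake_flash_download(url):
    """True if the last path segment of the URL is the fake installer name."""
    path = urlsplit(url).path  # drops query string and fragment
    return path.rsplit("/", 1)[-1].lower() == FAKE_INSTALLER


def triage(subjects, urls):
    """Return the subjects and URLs that match the indicators from the post."""
    return {
        "subjects": [s for s in subjects if match_subject(s)],
        "urls": [u for u in urls if is_fake_flash_download(u)],
    }


# Constructed sample data (hypothetical mail subjects and proxy-log URLs).
SAMPLE_SUBJECTS = [
    "FaceBook message: Very Beautiful facebook girl Dance Video! (Last rated by Amanda)",
    "FaceBook message: Watch the Oooh! Super Beautiful Girl Dancing (Last rated by Bob K)",
    "Facebook: you have 2 new notifications",
    "Re: FaceBook message archive question",
]
SAMPLE_URLS = [
    "http://video-host.example/watch/Flash_Adobe11.exe",
    "http://video-host.example/dl/flash_adobe11.exe?id=7",
    "http://intranet.example/tools/flash_adobe11.exe.txt",
    "http://intranet.example/docs/readme.html",
]

if __name__ == "__main__":
    print(triage(SAMPLE_SUBJECTS, SAMPLE_URLS))
```

Matches are a starting point for review; the lure text and file name can change between runs of the campaign.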